cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
132
Views
5
Helpful
3
Replies
Highlighted
Frequent Contributor

Best designs to use for providing reachability to remote sites/customers utilizing private IPs?

If you connect to multiple sites or are a transport or service provider for multiple sites that are using private IP addresses meaning some may overlap and/or be the same (e.g. 10.10.10.0 for customer A and B) what would be the best options in terms of routing. Let's say your infrastructure is small meaning maybe you don't want to do a mbgp/mpls backbone type infrastructure if you only have a couple devices or something, would perhaps configuring vrf light route leaking be the best way to go? 
Would still just building an mpls infrastructure still be best option if lets say you only have 2 routers meaning I guess they act as PE and LSR (if that is even supported)?

Also, what if you have IPSEC tunnels or something and you infrastructure is using the same subnet the remote end is using or wants to use such as 10.10.10.0 /24 what would be the best options as to my knowledge that would not be supported unless I am mistaken??

3 REPLIES 3
VIP Advisor

Re: Best designs to use for providing reachability to remote sites/customers utilizing private IPs?

Hi

For ipsec, you can do natting of source subnets to solve the overlapping issues.

Now for the rest, if you want to transport meaning keep contained communications between customer B without being able to communicate with customer A and the invert, the best solution would be to build a mpls cloud (you can have a single router acting as PE and P). It will be simpler to maintain and to scale it in the future. If you have a shared zone, then you need to make sure services in this zone don't have overlapping subnets and so use the carrier reserved subnet 100.64.0.0/10 which is rarely used in a LAN.

If customer A and B needs to talk together, then you'll need to do natting.

You're post is high level and based on this, what I think fits better is what I said previously. But sure there can be other options if we have more details on what you want to do.

Does that make sense?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted
Frequent Contributor

Re: Best designs to use for providing reachability to remote sites/customers utilizing private IPs?

Awesome Francisco yes it does make sense.

So basically, if let's say you have an existing network that provides services as I mentioned, however right now the network is small as I mentioned (idk like 1 router and 1 switch), but you want to be able to scale easily and/or more efficient if needed in the future, I am just trying to decide what the best type of implementations would be - yes I was thinking just to go ahead and do mpls with MBGP instead of let's say VRF light or something. What other good scalable options you mentioned would there be besides these?

Also when you say shared zone, are you talking about let's say systems that must be accessed by these customers (DNS, Apps, etc.) and not between two remote customers who must communicate correct?

Highlighted
Hall of Fame Master

Re: Best designs to use for providing reachability to remote sites/customers utilizing private IPs?

You ask 2 questions and the second one is easier, so let me start with it. If you have ipsec tunnel or something to a peer and that peer has a subnet that is the same as a subnet in your network such as 10.10.10.0/24 then one side or the other must do address translation. I have worked with customers in this type situation and while we normally think of not translating site to site vpn traffic it is certainly a supported feature to translate that traffic. I have done it and it works.

 

I am less clear about your first question. If you are a service provider or a transport provider I would think that it would be a priority to implement something that scales effectively. And something like vrf lite is probably not such a good choice. If you have a fairly small infrastructure perhaps something like GRE tunnels, or perhaps multi-point GRE might allow you to connect sites and have them communicate private address to private address. But as part of this question you bring up the possibility that customer A and customer B might be using the same private IP subnet. In that case one (or both) will need to do address translation (or you might need to do the translation for them).

HTH

Rick